Firewall rule to block DNS queries to external DNS servers.



  • Hello all, I am trying to create a firewall rule on the LAN to block DNS queries to external DNS servers except those DNS queries originating from DNS server (192.168.168.1).

    So far I have attempted to create a rule of

    Block TCP/UDP if source IP is not 192.168.168.1 to ANY destination IP using destination port DNS-DNS

    The rule doesn't work as I expect, and queries from the DNS server (192.168.168.1) are blocked. What am I doing wrong? Any direction on creating this rule?

    On a side note this is the only rule I've implemented.



  • Made a small mistake

    block  UDP  lan net    *    !192.168.168.1    53      *

    ipconfig /flushdns (from a Windows command prompt)



  • I'm a new user to pfSense so maybe I'm just missing something… Thanks for the suggestion, I modified the rule with no luck: all DNS packets are blocked from all hosts except those hosts using pfSense as their DNS server. ???

    Below are the only rules visible via the WebGUI.

    Firewall Rules - LAN
             Proto        Source                    Port   Destination   Port          Gateway   Sch.    Desc.
    Block  TCP/UDP    ! 192.168.254.245    *       *                53 (DNS)    *             ----     DNS

    Firewall Rules - WAN
    Default RFC1918

    Correct the logic, but if a packet reaches pfSense and is processed against the above LAN rule, the firewall should say: IF the DNS query packet is NOT from 192.168.254.245, BLOCK! If it matters any, which it shouldn't because DNS is DNS, 192.168.254.245 is a Windows Server 2003 host.



  • If I apply your rule on LAN2 or LAN3 it works right away.
    On LAN the behind-the-scenes rules take over.

    First make sure that you have the default LAN rule below your block rule so you can access the web GUI.
    Go to System -> Advanced and tick "webGUI anti-lockout" and save.
    Then I had to reboot my LAN client.

    Now your rule should work. Though I can't toggle the rule on and off as I would wish; probably there is more to the behind-the-scenes rule than I know of.



  • Thank you for your help. I did a factory restore and it works as it should now. I'm not sure what happened to the config; the only thing I can think of was that deleting the Default LAN rule changed the logic of the firewall. ???

    All is well now, thanks again. I'm really liking pfSense, even better than IPCop!



  • OK, the final resolution was to take the simple route out… After disabling the default LAN rule, which is ANY to ANY, DNS once again failed. Taking the simple route, I created a block-all-DNS rule and a single allow-DNS rule for the aforementioned IP address, and communications proceeded as expected.

    Network layout

    ------------       --------------       ------------       ------------
    |  Internet  | === | ADSL modem | === |  pfSense  | === |    LAN    |
    ------------       --------------       ------------       ------------



  • I used the following rules to block foreign DNS servers: (192.168.1.1 is my DNS' IP)

    Protocol: TCP/UDP
     Source: *
       Port: *
     Dest: ! 192.168.1.1
       Port: 53 (DNS)
     Gateway: *
     Description: block foreign DNS

    Protocol: *
     Source: LAN net
       Port: *
     Dest: *
       Port: *
     Description: Default LAN -> any

    If any client queries a foreign host (for DNS, at port 53) that differs from 192.168.1.1, we block it!

    That's OK for me :)
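The three rule orderings that come up in this thread (the original "block if source is not the DNS server" rule, the "simple route" of an allow above a block-all-DNS rule, and the last post's "block DNS to any destination except the resolver" rule) all depend on pfSense evaluating LAN rules top-down with the first match winning. The following is an added example, not code from the thread or from pfSense: a small Python evaluator that models only that first-match ordering and the "!" (invert match) flag, so you can see which packets each ruleset blocks before touching the firewall. It does not model pfSense's automatic or anti-lockout rules that the fourth post mentions, state tracking, or traffic between two hosts on the same LAN segment (which never reaches the firewall). The subnets 192.168.1.0/24 and 192.168.168.0/24 and the client addresses are assumptions.

```python
"""Toy first-match evaluator for the LAN rulesets discussed in this thread.

Hypothetical, added example: it models only the top-down, first-match-wins
ordering of user rules and the "invert match" (!) flag. It does not model
pfSense's automatic/anti-lockout rules, states, or LAN-to-LAN traffic that
never crosses the firewall. Subnets and client addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "*"


@dataclass
class Rule:
    action: str                  # "block" or "pass"
    proto: str = ANY             # "tcp", "udp", "tcp/udp" or "*"
    src: str = ANY               # host IP, CIDR, or "*"
    src_not: bool = False        # the "!" (invert match) flag on the source
    dst: str = ANY
    dst_not: bool = False        # the "!" flag on the destination
    dport: Optional[int] = None  # None means "*"
    desc: str = ""


def _match_addr(spec: str, negate: bool, addr: str) -> bool:
    """True if addr falls inside spec (host or CIDR), honouring the invert flag."""
    if spec == ANY:
        hit = True
    else:
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def matches(rule: Rule, pkt: dict) -> bool:
    proto_ok = rule.proto == ANY or pkt["proto"] in rule.proto.split("/")
    return (proto_ok
            and _match_addr(rule.src, rule.src_not, pkt["src"])
            and _match_addr(rule.dst, rule.dst_not, pkt["dst"])
            and (rule.dport is None or rule.dport == pkt["dport"]))


def evaluate(rules, pkt: dict):
    """Walk the ruleset top-down; the first matching rule decides.
    No match means the implicit default deny applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.desc
    return "block", "implicit default deny"


def pkt(src: str, dst: str, proto: str = "udp", dport: int = 53) -> dict:
    """Constructed packet header used as sample input."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# Last post: block DNS to any destination other than the resolver, then default allow.
FOREIGN_DNS_RULES = [
    Rule("block", "tcp/udp", dst="192.168.1.1", dst_not=True, dport=53, desc="block foreign DNS"),
    Rule("pass", ANY, src="192.168.1.0/24", desc="Default LAN -> any"),
]

# OP's "simple route": allow DNS from the DNS server, block all other DNS, then default allow.
SIMPLE_ROUTE_RULES = [
    Rule("pass", "tcp/udp", src="192.168.168.1", dport=53, desc="allow DNS from DNS server"),
    Rule("block", "tcp/udp", src="192.168.168.0/24", dport=53, desc="block all other DNS"),
    Rule("pass", ANY, src="192.168.168.0/24", desc="Default LAN -> any"),
]

# Same rules with the allow below the block: first match wins, so the DNS server is blocked too.
MISORDERED_SIMPLE_ROUTE = [SIMPLE_ROUTE_RULES[1], SIMPLE_ROUTE_RULES[0], SIMPLE_ROUTE_RULES[2]]

# OP's original single rule ("source is not the DNS server") above the default allow.
SOURCE_INVERT_RULES = [
    Rule("block", "tcp/udp", src="192.168.168.1", src_not=True, dport=53, desc="DNS"),
    Rule("pass", ANY, src="192.168.168.0/24", desc="Default LAN -> any"),
]


if __name__ == "__main__":
    cases = [
        ("foreign DNS / client -> 8.8.8.8:53", FOREIGN_DNS_RULES, pkt("192.168.1.50", "8.8.8.8")),
        ("foreign DNS / client -> resolver:53", FOREIGN_DNS_RULES, pkt("192.168.1.50", "192.168.1.1")),
        ("simple route / DNS server -> 8.8.8.8:53", SIMPLE_ROUTE_RULES, pkt("192.168.168.1", "8.8.8.8")),
        ("simple route / client -> 8.8.8.8:53", SIMPLE_ROUTE_RULES, pkt("192.168.168.20", "8.8.8.8")),
        ("misordered / DNS server -> 8.8.8.8:53", MISORDERED_SIMPLE_ROUTE, pkt("192.168.168.1", "8.8.8.8")),
        ("source invert / client -> 8.8.8.8:53", SOURCE_INVERT_RULES, pkt("192.168.168.20", "8.8.8.8")),
    ]
    for label, rules, p in cases:
        print(f"{label:45s} -> {evaluate(rules, p)}")
```

Running it shows that the original source-inverted rule and the last post's destination-inverted rule are logically equivalent for DNS leaving the LAN, and that the "simple route" only works with the allow rule above the block rule; the thread's real trouble on the LAN interface came from the automatic rules this model deliberately leaves out.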

